Best practice sharing in protection against advanced persistent threats
TRANSCRIPT
Ngô Việt Khôi | Country Manager
Trend Micro Vietnam & Cambodia
Proactively preventing targeted attacks (APT)
CRIMEWARE
Damage caused by Cybercrime
Cyber threat trends from 2012 onward
Timeline 2001, 2003, 2004, 2005, 2007, 2010: Evolution to Cybercrime
• Vulnerabilities
• Worm Outbreaks
• Spam / Mass Mailers
• Spyware
• Intelligent Botnets
• Web Threats
• Social Engineering
• Single Shot Malware
• Data Exfiltration
3/17/2014 2 Confidential | Copyright 2012 Trend Micro Inc.
2011+
• Targeted Attacks
• Mobile Threats
• Data Leakage
• Proximity Attacks
• BYOD
Repeated damages caused by APT
A series of attacks that aim to penetrate target firms and organizations, using methods such as emails with malicious programs attached or exploitation of vulnerabilities, in order to steal information or hijack computers that communicate with external parties.
Advanced Persistent Attack
< Examples of principal motives >
• for fun
• for justice
• for money
• spying
• agitation
• terrorism
< 2 typical types of penetration in Advanced Persistent Attack >
• Exploiting security vulnerabilities on public servers for direct attacks from outside.
• Using techniques such as social engineering, which exploit users' habits, to break into the system and spread within the victim's systems.
Targeted attack sequence:
• Attacker gathers intelligence about the organization and individuals
• Targets individuals (employees) using social engineering
• Establishes Command & Control server
• Moves laterally across the network seeking data of interest
• Extracts data of interest ($$$$) – can go undetected for months!
Modern attacks: Friendly, Sophisticated, Persistent!
“Business emails are projected to reach over 143 billion by the end of 2016 [1]… …73% of enterprises stated they employ company email to send highly confidential information [2]”
[1] http://www.radicati.com/wp/wp-content/uploads/2012/04/Email-Statistics-Report-2012-2016-Executive-Summary.pdf
[2] http://www.phonefactor.com/news/survey-reveals-sensitive-email-lacks-critical-security-controls.php
[3] http://www.gartner.com/id=2046315
[4] http://gcn.com/articles/2009/01/22/aiim-study-on-pdf-format.aspx
Popular email attachments:
• Microsoft Word & Microsoft Office Suites
• Enterprise: 90% of documents are stored as PDF; 89% convert Word files to PDF
Challenges for today's information security
• Firewalls and IDS/IPS are completely ineffective
– Standard ports and protocols are open for access
• Organizations don't know they're being targeted
– Low and Slow – stealthy, unlike a virus outbreak
• AV just doesn't work against APT
– 63% of malware used in APT is customized
• Employees are the weakest link in security
– Spear-phishing is a common tactic
• Vulnerabilities & Zero-day Exploits
– What percentage of your servers and endpoints are patched?
Today's threat reality - easy to attack and hard to detect
Verizon 2013 Data Breach Investigations Report
[Diagram: Consumerization, Cloud & Virtualization, and Cyber Threats / Attackers all converging on Employees and IT.]
[Diagram, Then…: Consumers and Employees reach the organization through Email & Messaging, Web Access, and File/Folder & Removable Media, overseen by the IT Admin.]
[Diagram, Now!: Device Hopping; the channels now also include Collaboration, Cloud Sync & Sharing, and Social Networking alongside Email & Messaging, Web Access, and File/Folder & Removable Media; IT Admin and Security.]
• 91% of targeted attacks begin with spear-phishing [1]
• 1 million malicious Android apps by end of 2013 [2]
• 1 in 5 use Dropbox at work, typically against rules [3]
[1] Trend Micro: “Spear Phishing Email: Most Favored APT Attack Bait”, Nov 2012
[2] Trend Micro Threat Predictions for 2013
[3] Global survey of 1300 enterprise customers; “Shadow IT in the Enterprise”, Nasuni, Sept 2012
Complete End User Protection
[Diagram: Employees, Device Hopping across Email & Messaging, Web Access, Collaboration, Cloud Sync & Sharing, Social Networking, and File/Folder & Removable Media; protected by Anti-Malware, Encryption, Application Control, Device Management, Data Loss Prevention, and Content Filtering; IT Admin and Security.]
Trend Micro | March 22, 2013
Cyber-attacks in S. Korea Heighten Changes in Threat Landscape
Destroying 48,700 computers in SK (PC, Server, Kiosk)
http://news.zum.com/articles/6052921?c=08
http://www.yonhapnews.co.kr/it/2013/04/03/2404000000AKR20130403111251017.HTML
Cyberwarfare - Targeted Attack (timeline)
• 3/20, 2 PM: Erase Logs (Web server logs, Firewall logs and Server logs)
• 3/19: Retrieve Admin Privileges; Controlling DNS and Dispatching malware
• 8 months ago (2012/6/28): Attack Vulnerabilities (Web servers, PCs of admins and users, Internal servers)
• 1,590 accesses to FIs using 1,000 IP addresses in 40 countries overseas
http://koreajoongangdaily.joinsmsn.com/news/article/Article.aspx?aid=2969240
http://www.yonhapnews.co.kr/society/2013/04/10/0701000000AKR20130410160500017.HTML
http://article.joinsmsn.com/news/article/article.asp?total_id=11195858&ctg=1000&cloc=joongang|home|newslist1
DETECTED & BLOCKED: Spear Phishing
• Patch? – Server & Endpoint; Malware (Hidden Trojan); Hacker (Remote control)
• Password? – Nobody Knows
• Internal action: Brute-force Attack – Cracked (hashed) passwords
• Detectable? – Connecting to suspicious IP; Normal access with abnormal behavior; Do nothing (just for health check); Keep querying data
• Visibility? – Compromised computers
• How to infiltrate? How severe? – Steal sensitive data; Data exfiltration? Data breach?
• Have we Prepared? Are we Targeted?
Attack Characteristics
• Spear-Phishing emails
– Arrive via spammed email and connect to malicious URLs:
• hxxp:// www. Clickflower. net/board/images/start_car.gif
• hxxp:// www .6885 .com/ uploads/fb9c6013f1b269b74c8cd139471b96fc/feng.jpg
• Waterhole Attack – a recent attack method, where legitimate websites or servers that the targeted individual is likely to visit are compromised with malware.
– Upon connecting to the sites/servers, the client is compromised and injected with malicious code, such as the MBR-wiping Trojan TROJ_KILLMBR.SM
– One of the breached patch management servers was AhnLab's (Korea's leading local AV vendor) update server inside the customer's premises
• Self-Destruction – overwriting the compromised PC's Master Boot Record (MBR), making it difficult to analyze and investigate.
– MBRs on server systems were also targeted for deletion, potentially disrupting mission-critical IT services.
Attack technique 1: Social Engineering Email
[Diagram: the Attacker sends social engineering emails with malicious attachments to Windows endpoints of the Victimized Business; Malicious C&C websites; AhnLab's Update Servers; Unix/Linux Server Farm; payloads wipe out files and destroy the MBR.]
Email is the top attack channel in targeted attacks.
Attack technique 2: Multiple Custom Malware
[Diagram: same attack flow as technique 1 (Attacker, Malicious C&C websites, AhnLab's Update Servers, Windows endpoints, Unix/Linux Server Farm, wipe out files / destroy MBR).]
A total of 76 tailor-made malware samples were used, of which 9 were destructive, while the other 67 were used for penetration and monitoring.
Attack technique 3: Watering Hole Attacks
[Diagram: same attack flow as technique 1 (Attacker, Malicious C&C websites, AhnLab's Update Servers, Windows endpoints, Unix/Linux Server Farm, wipe out files / destroy MBR).]
Leverage the legitimate update mechanism to deploy malware to endpoints faster.
AhnLab's APC server does not require login credentials to access.
Technique 4: Selective server attacks
[Diagram: same attack flow as technique 1 (Attacker, Malicious C&C websites, AhnLab's Update Servers, Windows endpoints, Unix/Linux Server Farm, wipe out files / destroy MBR).]
Gain server login credentials from infected clients to initiate remote attacks. Monitor server activity to obtain server access rights, then send the damage command to destroy the server system.
Inspiration 1
Is it possible to effectively detect email attacks and other attacks?
March 19, 2013: Social engineering emails with malware code
Inspiration 2
March 19, 2013: Infect the update server to distribute malware
Is it possible to analyze the attack tools on the spot?
Inspiration 3
Is it possible to continuously generate signatures so that the defense system can adapt in time?
March 20, 2013: Malicious routine executed on schedule
Inspiration 4
Does the organization have enough capability to respond to incidents on its own, or must it call on professional help from outside?
March 20, 2013
How did Trend Micro protect its customers?
Deep Discovery Solutions
Deep Discovery provides the visibility, insight and control you need to protect your company against APTs and targeted attacks.
• Deep Discovery Inspector: Network traffic inspection; Advanced threat detection; Real-time analysis & reporting
• Deep Discovery Advisor: Custom scalable Sandbox; Deep investigation & analysis
Targeted Attack/APT Detection – In-Depth Contextual Analysis – Rapid Containment & Response
Coverage: Endpoint, Mail, Web, Data Center, Network
Custom Defense Strategy: Deep Discovery Inspector & Deep Discovery Advisor, Cloud Security
The customized nature of targeted attacks has changed the threat landscape. There's no silver bullet for advanced threat attacks. Enterprises need to improve their abilities to:
• Detect malware, communications and behavior invisible to standard defenses
• Analyze the risk and characteristics of the attack and attacker
• Adapt security automatically (IP black lists, custom signatures…)
• Respond using the insight needed to respond to your specific attackers
Deep Discovery Inspector - Capture all signals
Malicious content
• Embedded doc exploits
• Drive-by downloads
• Zero-day
• Malware
Suspicious communication
• C&C access
• Data stealing
• Worms
• Backdoor activity…
Attack behavior
• Propagation & dropper
• Vuln. scan & bruteforce
• Data exfiltration…
Protocols inspected (80+ protocols): HTTP, SMTP, TCP, SMB, DNS, FTP, P2P, ...
Engines: Network Content Inspection Engine; Advanced Threat Security Engine; IP & URL reputation; Virtual Analyzer; Network Content Correlation Engine
Sandbox analysis (Zero day Attack)
• Custom OS Image
• Accelerated time
• Anti-VM detection
• 32 & 64 bits
• Code execution, documents & URL
Your Custom Sandbox (Isolated Network): WinXP SP3, Win7 Base, Win7 Hardened
Live monitoring
• Core integration (hook, DLL injection..)
• Monitoring network flows
• Correlation of events
Core Threat Simulator components: Filesystem monitor, Registry monitor, Process monitor, Rootkit scanner, Network driver, Fake Explorer, Fake Server, Fake AV, API Hooks
Sample sandbox output:
LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
LoadLibraryA ARGs: ( OLEAUT32.dll ) Return value: 75de0000
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
key: HKEY_CURRENT_USER\Local Settings\MuiCache\48\52C64B7E\LanguageList value:
key: HKEY_CURRENT_USER\Software\Microsoft\Onheem\20bi1d4f
Write: path: %APPDATA%\Ewada\eqawoc.exe type: VSDT_EXE_W32
Injecting process ID: 2604 Inject API: CreateRemoteThread Target process ID: 1540 Target image path: taskhost.exe
socket ARGs: ( 2, 2, 0 ) Return value: 28bfe
socket ARGs: ( 23, 1, 6 ) Return value: 28c02
window API Name: CreateWindowExW ARGs: ( 200, 4b2f7c, , 50300104, 0, 0, 250, fe, 301b8, f, 4b0000, 0 ) Return value: 401b2
internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
.......
Modifies file with infectible type : eqawoc.exe
Inject processus : 2604 taskhost.exe
Access suspicious host : mmlzntponzkfuik.biz
How Trend Micro protects customers from the threat
Deep Discovery Inspector provides visibility of network activity and actionable threat intelligence that IT administrators can use to implement security measures to prevent further infections.
• An email is sent to an employee, posing as a message from a bank. The email has a malicious attachment.
• DEEP DISCOVERY INSPECTOR (DDI) detects the email and attachment through heuristics as HEUR_NAMETRICK.B.
• The attachment is sent to Virtual Analyzer for sandbox analysis.
• The IT admin obtains results from the sandbox and performs the necessary steps (URL blocking, etc.). THREAT AVERTED.
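The heuristic stage in the flow above (an attachment screened before it is handed to the sandbox) can be illustrated with a small static pre-screen. This is an added example, not Trend Micro's or DDI's code: it checks the declared attachment type against the file's magic bytes, looks for double extensions, and inspects zip containers (the format behind .docx/.docm) for embedded executables or a VBA macro stream. Every sample file below is a constructed byte string; the signature table and the rule names are assumptions chosen for the example.

```python
"""Static pre-screen of e-mail attachments (added example, constructed samples)."""
import io
import zipfile

# File signatures we recognise (constructed list, not a product's table).
MAGIC = [
    (b"MZ", "pe-executable"),              # Windows PE (EXE/DLL/SCR)
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole-compound"), # legacy .doc/.xls
    (b"PK\x03\x04", "zip-container"),      # .docx/.docm/.xlsx and plain .zip
]
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".txt", ".jpg"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".vbs", ".js"}


def sniff(data):
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def _split_ext(filename):
    lower = filename.lower()
    if "." not in lower:
        return lower, ""
    stem, ext = lower.rsplit(".", 1)
    return stem, "." + ext


def screen_attachment(filename, data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    stem, ext = _split_ext(filename)
    kind = sniff(data)
    if ext in EXECUTABLE_EXTS:
        findings.append("executable attachment")
    if ext in DOCUMENT_EXTS and kind == "pe-executable":
        findings.append(f"declared {ext} but content is a Windows executable")
    # e.g. invoice.pdf.exe: the visible part of the name claims a document
    if any(stem.endswith(d) for d in DOCUMENT_EXTS):
        findings.append("double extension disguising the real type")
    if kind == "zip-container":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return findings + ["malformed archive"]
        if any(n.endswith(tuple(EXECUTABLE_EXTS)) for n in names):
            findings.append("archive contains an executable")
        if "word/vbaproject.bin" in names:   # Office stores macros here
            findings.append("office document contains VBA macros")
    return findings


def _zip(entries):
    """Build an in-memory zip from {name: bytes} (helper for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in entries.items():
            z.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: none of these are real files.
FAKE_PDF = b"MZ\x90\x00\x03\x00" + b"\x00" * 58            # PE header, named as a PDF
REAL_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
EXE_IN_ZIP = _zip({"bank_notice.exe": b"MZ" + b"\x00" * 30})
MACRO_DOCM = _zip({"[Content_Types].xml": b"<Types/>",
                   "word/document.xml": b"<w:document/>",
                   "word/vbaProject.bin": b"\x00" * 16})

if __name__ == "__main__":
    for name, data in [("statement.pdf", FAKE_PDF), ("report.pdf", REAL_PDF),
                       ("notice.zip", EXE_IN_ZIP), ("invoice.docm", MACRO_DOCM),
                       ("invoice.pdf.exe", FAKE_PDF)]:
        print(name, "->", screen_attachment(name, data) or "clean")
```

A hit here does not prove the attachment is malicious; it is the cue to route it to sandbox analysis rather than deliver it, which is the hand-off the slide describes.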
With sandbox analysis, DDI detected the suspicious email and identified its attachment as a Trojan downloader.
DDI successfully detected the email attack with Early Warnings.
Sandbox Analysis Provided Intelligence for Response
The sandbox analysis discovered the suspicious behaviors of the Trojan and provided the malicious URL and IP addresses. The customer then set up a rule in the firewall/IPS to prevent the attacker from accessing infected machines or downloading additional malware.
• Advanced threat analytics
• Correlating local and global threat intelligence
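The sandbox output shown earlier (file write, CreateRemoteThread injection, InternetConnectA to a suspicious host) and the response described here (block the host, find machines that already talked to it) are the two halves of one workflow. The following is an added example, not Trend Micro's Virtual Analyzer or DDI code: it parses behaviour lines in the format shown on the slide into indicators, scores them, derives a blocklist, and hunts for the indicators in a proxy log. The report lines are constructed to mimic the slide's format (the host name mmlzntponzkfuik.biz is the one on the slide; 203.0.113.77 and the proxy log entries are made up), and the rule thresholds are assumptions.

```python
"""Sandbox report -> indicators -> blocklist -> hunt in proxy logs (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sandbox report in the style of the slide's Virtual Analyzer output.
SANDBOX_REPORT = (
    "LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000\n"
    "Write: path: %APPDATA%\\Ewada\\eqawoc.exe type: VSDT_EXE_W32\n"
    "Injecting process ID: 2604 Inject API: CreateRemoteThread "
    "Target process ID: 1540 Target image path: taskhost.exe\n"
    "internet_helper API Name: InternetConnectA ARGs: ( cc0004, "
    "mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008\n"
    "internet_helper API Name: InternetConnectA ARGs: ( cc0004, "
    "203.0.113.77, 80, , , 3, 0, 0 ) Return value: cc000c\n"
)

# Constructed proxy log: timestamp, client IP, method, target, status.
PROXY_LOG = (
    "2013-03-19T09:12:01 10.1.4.22 GET http://www.example.org/index.html 200\n"
    "2013-03-19T09:14:37 10.1.4.22 CONNECT mmlzntponzkfuik.biz:10050 200\n"
    "2013-03-19T09:15:02 10.1.7.9 GET http://203.0.113.77/feng.jpg 200\n"
)

WRITE_RE = re.compile(r"^Write: path: (?P<path>\S+) type: (?P<type>\S+)")
INJECT_RE = re.compile(r"^Injecting process ID: (?P<src>\d+) Inject API: (?P<api>\w+) "
                       r"Target process ID: (?P<dst>\d+) Target image path: (?P<image>\S+)")
CONNECT_RE = re.compile(r"InternetConnectA ARGs: \( \w+, (?P<host>[^,\s]+), (?P<port>\d+),")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<target>\S+)")
SYSTEM_IMAGES = {"taskhost.exe", "explorer.exe", "svchost.exe"}  # assumed list


@dataclass
class SandboxFindings:
    dropped: list = field(default_factory=list)     # paths written with an executable type
    injections: list = field(default_factory=list)  # (src pid, api, target pid, target image)
    hosts: list = field(default_factory=list)       # (host, port) contacted by the sample


def parse_sandbox_report(text):
    """Extract the three indicator classes from behaviour log lines."""
    f = SandboxFindings()
    for line in text.splitlines():
        m = WRITE_RE.match(line)
        if m:
            if m["type"].startswith("VSDT_EXE"):
                f.dropped.append(m["path"])
            continue
        m = INJECT_RE.match(line)
        if m:
            f.injections.append((m["src"], m["api"], m["dst"], m["image"]))
            continue
        m = CONNECT_RE.search(line)
        if m:
            f.hosts.append((m["host"].lower(), int(m["port"])))
    return f


def suspicious_behaviours(f):
    """Name each behaviour that, combined, marks a sample as malicious."""
    found = []
    if any(p.upper().startswith("%APPDATA%") for p in f.dropped):
        found.append("drops an executable under the user profile")
    if any(img.lower() in SYSTEM_IMAGES for _, _, _, img in f.injections):
        found.append("injects code into a system process")
    if f.hosts:
        found.append("contacts external host(s)")
    return found


def verdict(f):
    # Threshold of two independent behaviours is an assumption for the example.
    return "malicious" if len(suspicious_behaviours(f)) >= 2 else "needs review"


def blocklist(f):
    """Hosts/IPs to deny at the firewall or proxy, one entry per contacted host."""
    return sorted({host for host, _ in f.hosts})


def _target_host(target):
    target = re.sub(r"^[a-z]+://", "", target)
    return target.split("/", 1)[0].split(":", 1)[0].lower()


def find_infected_clients(proxy_log, f):
    """Return client IPs that already reached any blocklisted host."""
    bad = set(blocklist(f))
    hits = set()
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if m and _target_host(m["target"]) in bad:
            hits.add(m["client"])
    return hits


if __name__ == "__main__":
    findings = parse_sandbox_report(SANDBOX_REPORT)
    print(verdict(findings), suspicious_behaviours(findings))
    print("block:", blocklist(findings))
    print("clients to isolate:", sorted(find_infected_clients(PROXY_LOG, findings)))
```

The hunt step is what turns a sandbox verdict into containment: the blocklist stops further C&C traffic, and the clients that already matched are the machines to isolate and re-image.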
Analyst endorsement
Gartner
Deep Discovery wins best new product
Korea Deep Discovery customers (Reference): Public Sector, FSI, Enterprises; Global Security & Logistics Co.
Trend Micro Deep Discovery protects
• Major banks
• Government agencies & many more
Over 600 Enterprise and Government Customers
http://enterprise.apac.trendmicro.com/APT/
A Custom Attack Needs a Custom Defense
Thank you